Http://Docs.fortinet.com - Fortinet FortiMail-100 Install Manual

Secure messaging platform

Hide thumbs Also See for FortiMail-100:

Quick start manual (2 pages)

Quick start manual (2 pages)

Quick start manual (2 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

Table of Contents

Example 3: FortiMail unit for an ISP or carrier

132

When a device joins the network of its service provider, such as a cellular phone carrier or

DSL provider, it may use a protocol such as PPPoE or PPPoA which supports

authentication. The network access server (NAS) queries the remote authentication dial-in

user (RADIUS) server for authentication and access authorization. If successful, the

RADIUS server then creates a record which associates the device's MSISDN, subscriber

ID, or other identifier with its current IP address.

The server, next acting as a RADIUS client, sends an accounting request with the

mapping to the FortiMail unit. (The FortiMail unit acts as an auxiliary accounting server if

the MSISDN reputation daemon is enabled.) The FortiMail unit then stores the mappings,

and uses them for the MSISDN reputation feature.

When the device leaves the network or changes its IP address, the RADIUS server acting

as a client requests that the FortiMail unit stop accounting (that is, remove its local record

of the IP-to-MSISDN/subscriber ID mapping). The FortiMail unit keeps the reputation

score associated with the MSISDN or subscriber ID, which will be re-mapped to the new

IP address upon the next time that the mobile device joins the network.

The MSISDN reputation feature can be used with traditional email, but it can also be used

with MMS text messages.

The multimedia messaging service (MMS) protocol transmits graphics, animations, audio,

and video between mobile phones. There are eight interfaces defined for the MMS

standard, referred to as MM1 through MM8. MM3 uses SMTP to transmit text messages

to and from mobile phones. Because it can be used to transmit content, spammers can

also use MMS to send spam.

You can blacklist MSISDNs or subscriber IDs to reduce MMS and email spam.

In addition to manually blacklisting or exempting MSISDNs and subscriber IDs, you can

configure automatic blacklisting based upon MSISDN reputation score. If a carrier end

point sends email or text messages that the FortiMail unit detects as spam, the MSISDN

reputation score increases. You can configure session profiles to log or block, for a period

of time, email and text messages from carrier end points whose MSISDN reputation score

exceeds the threshold during the automatic blacklisting window.

FortiAnalyzer units that receive logs from FortiMail units can also produce extensive spam

and virus reports for each subscriber's end point identifier.

To configure your RADIUS server

1 On your RADIUS server, configure the FortiMail unit as an auxiliary RADIUS server, to

which it will send copies when its accounting records change.

2 Specify that it should send the Calling-Station-Id and Framed-IP-Address

attributes to the FortiMail unit.

The data type of the value of Calling-Station-Id may vary. For 3G subscribers,

the RADIUS server typically uses Calling-Station-Id to contain an MSISDN. For

ADSL subscribers, the RADIUS server typically uses to contain a login ID, such as an

email address.

3 Determine whether your RADIUS server sends the Framed-IP-Address attribute's

value in network order (e.g. 192.168.1.10) or host order (e.g. 10.1.168.192).

4 Verify that routing and firewall policies permit RADIUS accounting records to reach the

FortiMail unit.

FortiMail™ Secure Messaging Platform Version 4.0 Patch 1 Install Guide

Transparent mode deployment

Revision 2